Guidelines 08/2020 on the targeting of social media users – version for public consultation

Section 6.2  Right of access (Article 15)

92 Data controllers must enable users to easily and fully exercise their data subjects’ rights. An easy-to-use and efficient tool should be available for the data subject to ensure the easy exercise of all of their rights, at any time, in particular the right of erasure, objection, and the right of access pursuant to Article 15 GDPR. The following paragraphs focus on how and by whom the right of access should be accommodated in the context of targeting of social media users.

93 In general, to fulfill the requirements of Article 15 (1) GDPR and to ensure full transparency, controllers may want to consider implementing a mechanism for data subjects to check their profile, including details of the information and sources used to develop it. The data subject is entitled to learn of the identity of the targeter, and controllers must facilitate access to information regarding the targeting, including the targeting criteria that were used, as well as the other information required by Article 15 GDPR.

94 As regards the kind of access to be provided to data subjects, recital 63 advises that “[w]here possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.” The specific features of social media providers – the online environment, the existence of a user account – suggest the possibility to easily grant the data subject with remote access to the personal data concerning him or her in accordance with Article15 (1), (2) GDPR. Remote access in this case can be regarded as the most “appropriate measure” in the sense of Article 12 (1) GDPR, also taking into account the fact that this is a typical situation “where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected” (see recital 58, which explicitly adds “online advertising” as concrete example). In addition, if requested, social media users who have been targeted should also be given a copy of the personal data relating to them in accordance with Article 15(3) GDPR.

95 According to Article 15(1)(c) GDPR, the user shall have access in particular to information on “the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations”. According to Article 4(9), the term “recipient” refers to a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether they area third party or not. A targeter will not necessarily be a “recipient” of the personal data (see Example 1), as the personal data might not be disclosed to it, but it will receive statistics of the targeted customers in aggregated or anonymised form, e.g. as part of its campaign, or in a performance review of the same. Nevertheless, to the extent that the targeter acts as a joint controller, it must be identified as such to the social media user.

96 Although Article 15 GDPR is not explicitly identified in Article 26 (1) GDPR, the wording of this Article refers to all “responsibilities for compliance” under GDPR, which includes Article 15 GDPR.

97 In order to enable data subjects to exercise their rights in an effective and easily accessible way, the arrangement between the social media provider and the targeter may designate a single point ofcontact for data subjects. Joint controllers are in principle free to determine amongst themselves who should be in charge of responding to and complying with data subject requests, but they cannot exclude the possibility for the data subject to exercise his or her rights in respect of and against each of them (Article 26 (3) of the GDPR). Hence, targeters and social media providers must ensure that a suitable mechanism is in place to allow the data subjects to obtain access to his or her personal data in a user-friendly manner (including the targeting criteria used) and all information required by Article15 of the GDPR.